Key topics

Challenges for doing "security"

Security approach roadblocks
New perspectives on the problem
Maturing your security approach
Organizational challenges - 1

Scope of security is the entire organization
Requires management and technologists to work together
Industry bias toward technology solutions
Forces constant risk vs. reward trade-offs
Not naturally a profit-centric activity
Organizational challenges - 2

Not a core competency of an organization
Requires everyone in the organization to play a part
Everyone has a different view and objective
Lack of common language and lexicon
Lack of data and metrics

© 2004 by Carnegie Mellon University   Maturing Your Approach, v1.0   page 4


CarnegieMellon
Software Engineering Institute

Why do we fail?

There are several natural barriers to effectiveness
May be unlike any problem organizations have had to solve (somewhat resembles Y2K)
Complex problem requires an adaptive, flexible approach
Common problems

Defining the wrong target
Focusing too narrowly
Treating security as a technical specialty
Managing to regulations
Failure to recognize complexity
Defining the wrong target

Problem
The desired outcome of the security approach is ambiguous.

Symptoms
Unclear security goals
Goals not well communicated
No measures for success
Can't assure stakeholders that "security" has been accomplished
Narrow focus

Problem
Focus of security approach is technology-centric.

Symptoms
Security viewed as a technology problem
Assumption that secure technology = secure organization
Technical specialty

Problem
Implementation and monitoring of security approach is a technical specialty.

Symptoms
CSO/CISO and security professionals in technical roles
IT is exclusive domain of security activities
IT owns security approach or strategy

Magazine, December 15, 2003
Regulation-driven

Problem
Regulatory compliance defines the purpose and direction of the security approach.

Symptoms
Regulations overly influence the approach
Comply with regulations = secure organization
Security standards derived from regulations
Lack of flexibility

Problem
The security approach cannot adapt to changing environmental conditions.

"The chief security officer should now be positioned as a trusted advisor to the business, moving away from operational delivery towards understanding and managing risk"

Symptoms
Security approach quickly obsolete
Approach out of synch with organization's strategic objectives
Time spent on securing assets that are not critical to accomplishing the mission

Source: Miya Knight, www.vnunet.com/news/1147007
Organizational impacts

Misalignment of operational and security goals
False sense of accomplishment
Failure to utilize all necessary skills/resources
Compliance at the expense of effectiveness
Approach breaks at every twist and turn

Overall ability to manage security is impaired
Maturing your approach

Change your perspective
Expand your objective
Let the organization drive
Embrace the resiliency concept
Expand your objective

View the organization as the benefactor of "security", not IT
Change perspective from technical "network" to organizational "network"
Aim to make the organization's mission both sustainable and adaptable to its environment
Let the organization drive

Use organizational drivers — mission, strategic objectives, goals, CSFs — as the foundation for security
Align security strategy and approach with drivers and ensure they are adaptable to changes
Aim for sponsorship as high in the organization as possible
Move from security to resiliency

Resiliency
Survivability
Security
What is resiliency?

Physical property of a material that allows it to spring back after deformation that has not exceeded its elastic limit [www.cogsd.princeton.edu]

". . . ability to withstand systemic discontinuities" [Booz Allen]

". . . ability to adapt to new risk environments" [Booz Allen]

Source: Booz Allen - Enterprise Resilience: Managing Risk in the Networked Economy
Security vs. resiliency

Security
Asset-focused
Reactive
Protective (defensive posture)
Maintain and sustain
Active

Resiliency
Organization-focused
Proactive
Adaptive (offensive posture)
Sustain and improve
Transparent
Resilient organizations

Align capabilities to collaborate
Elevate risk management to organizational level
Rely on the system of internal controls
Sense, respond, and improve
Establish transparency
Moving toward resiliency - 1

Sharpen the target
Utilize critical success factors for alignment
Utilize and mobilize the capabilities of the organization
Involve the right people — spread responsibility throughout organization
Moving toward resiliency - 2

Rely on operational excellence
Rely on strong system of internal controls
Manage as a process and improve
Select metrics for success and measure!
Questions?

For more information

Networked Systems Survivability Program
Software Engineering Institute
Carnegie Mellon University
4500 Fifth Avenue
Pittsburgh PA 15213 USA

www.sei.cmu.edu
www.cert.org

Rich Caralli
rcaralli@sei.cmu.edu